SB2019101513 - Multiple vulnerabilities in SLUB: Event Registration extension for TYPO3
Published: October 15, 2019 Updated: March 6, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2019-16700)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to the affected software allows to upload arbitrary files to the webserver. A remote attacker can upload and execute arbitrary file on the server (For versions 1.2.2 and below) or cause a denial of service (DoS) condition, since the webspace can be filled up with arbitrary files (versions later than 1.2.2).
2) Prototype pollution (CVE-ID: CVE-2019-11358)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
3) Cross-site scripting (CVE-ID: CVE-2015-2531)
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the jQuery engine in Microsoft Lync Server 2013 and Skype for Business Server 2015. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.